Hacker News’ top story today was on vulnerabilities found in implantable pacemakers. It’s a troubling thought, particularly in conjunction with the recent (and preventable) ransomware attacks. What would you pay to unlock your pacemaker?
Is it a real risk? Fans of Showtime’s Homeland would tell you it is, and Dick Cheney would agree. Researcher Barnaby Jack was scheduled to demonstrate a remote hack on pacemakers at Black Hat 2013, but tragically passed away days before the event.
So what’s different this time? A much more straightforward approach, for one thing. Security researchers Billy Rios and Jonathan Butts acquired pacemakers and supporting hardware and software for four different brands, and looked for weaknesses in architecture and execution. One of the biggest issues they found was one we see time and again — unpatched software libraries.
Security Changes with Time
We need to remember that secure software is an ephemeral concept. What we think of as secure today can change overnight as new vulnerabilities are discovered and disclosed. As code ages, more vulnerabilities are likely to be disclosed.
Black Duck’s 2017 Open Source Security and Risk Analysis (OSSRA) research found that the average commercial application included almost 150 discrete open source components, and that 67% of the applications included vulnerable open source components. Here is how that stacks up to Rios and Butts’ research.
Use of Open Source
All four pacemakers used open source extensively, with over 86 unique components on average. Likewise, Black Duck found open source in 96% of the applications it reviewed across all industries, but with a far higher count of unique components — 147 unique components on average. This discrepancy could be due to missed components or dependencies. It can be difficult to find all of them manually.
All four pacemakers examined contained open source components with vulnerabilities, and roughly 50% of all components included vulnerabilities. Most shockingly, the pacemakers had an average of 50 vulnerabilities per vulnerable component and over 2,000 vulnerabilities per vendor. This is far higher than what Black Duck found in its review of over 1,000 commercial applications, where the average vulnerable application included fewer than 30 vulnerabilities.
What Accounts for the Difference?
It could be a number of things. The researchers (wisely) did not disclose which pacemakers they acquired, but since they were purchased from auction sites, we can assume they were not newer models. As previously stated, older code is likely to have had more vulnerabilities disclosed.
Second, it’s not clear if the researchers checked for software/firmware updates from the vendors prior to analysis. Since these were not products under support agreements, my assumption is that they did not.
This may not matter, however. Our research shows that vendors are typically unaware of all of the open source they use, since it can enter the code base in so many ways. On average, prior to using Black Duck our customers are aware of less than half of the third-party libraries they use.
What Should Manufacturers of Medical Devices Do?
It’s important to remember that the problem here isn’t the use of open source. It’s the fact that open source is often invisible to the organizations using it. Developers understand the functional requirements for the software, and pull in open source to help meet those requirements. This lowers development costs and accelerates time to market.
Unless organizations carefully track the open source they use, and map those components to the thousands of vulnerabilities disclosed in open source every year (still fewer than those reported in commercial code), they are unable to protect their applications — and their customers — from vulnerabilities.
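To make that tracking-and-mapping step concrete, here is an added example that is not part of the original post and not Black Duck's product or the researchers' tooling. It models a product's open source inventory as a simple bill of materials (component name and version), matches it against a vulnerability feed of affected version ranges, and reports the per-component counts discussed above. It also contrasts the inventory developers declared with the one a full scan would discover, which is where the "aware of less than half" blind spot shows up. Every component name, version and advisory id is a constructed placeholder.

```python
"""Inventory-to-vulnerability mapping for an open source bill of materials.

Added example: names, versions and advisory ids are constructed placeholders,
not real projects or real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string into a tuple of ints.

    Leading digits of each dotted piece are kept; any non-numeric tail
    (e.g. the 'k' in '1.0.2k') is ignored so the piece still compares.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Compare two version strings; returns -1, 0 or 1. '1.2' equals '1.2.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


@dataclass
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` falls inside the advisory's affected range."""
    if compare(version, adv.introduced) < 0:
        return False
    if adv.fixed and compare(version, adv.fixed) >= 0:
        return False
    return True


def match_inventory(sbom: Dict[str, str], feed: List[Advisory]) -> Dict[str, List[str]]:
    """Map each inventoried component to the advisory ids that affect it.

    A component missing from `sbom` is silently skipped: you cannot assess
    what you do not know you ship, which is the point of keeping an inventory.
    """
    hits: Dict[str, List[str]] = {}
    for adv in feed:
        version = sbom.get(adv.component)
        if version is not None and is_affected(version, adv):
            hits.setdefault(adv.component, []).append(adv.advisory_id)
    return hits


def summarize(sbom: Dict[str, str], hits: Dict[str, List[str]]) -> Dict[str, float]:
    """Counts in the same shape as the figures quoted in the post."""
    vulnerable = len(hits)
    total = sum(len(ids) for ids in hits.values())
    return {
        "components": len(sbom),
        "vulnerable_components": vulnerable,
        "vulnerabilities": total,
        "per_vulnerable_component": total / vulnerable if vulnerable else 0.0,
    }


def unassessed(discovered: Dict[str, str], declared: Dict[str, str]) -> List[str]:
    """Components a scan found that the declared inventory never listed."""
    return sorted(set(discovered) - set(declared))


# Constructed sample data. DECLARED is what the developers wrote down;
# DISCOVERED is what a build-level scan finds, including transitive pulls.
DECLARED_SBOM = {"libexample-json": "2.3.0", "libexample-log": "4.2.1"}
DISCOVERED_SBOM = dict(DECLARED_SBOM, **{"libexample-tls": "1.0.1", "libexample-zip": "0.9.8"})

FEED = [
    Advisory("EXAMPLE-0001", "libexample-tls", "1.0.0", "1.0.2"),
    Advisory("EXAMPLE-0002", "libexample-tls", "0.9.0", "1.1.0"),
    Advisory("EXAMPLE-0003", "libexample-zip", "0.9.0", ""),       # no fix released
    Advisory("EXAMPLE-0004", "libexample-json", "1.0.0", "2.0.0"),  # already fixed in 2.3.0
    Advisory("EXAMPLE-0005", "libexample-log", "4.3.0", "4.3.2"),   # introduced after 4.2.1
]

if __name__ == "__main__":
    for label, sbom in (("declared", DECLARED_SBOM), ("discovered", DISCOVERED_SBOM)):
        hits = match_inventory(sbom, FEED)
        print(label, hits, summarize(sbom, hits))
    print("never assessed:", unassessed(DISCOVERED_SBOM, DECLARED_SBOM))
```

Run against the declared inventory the check reports nothing, because the two vulnerable libraries were pulled in without anyone recording them; run against the discovered inventory it finds three advisories across two components. The version-range matching is deliberately plain; a production inventory tool also has to handle vendor backports, renamed forks and components embedded without any package metadata, which is why manual lists tend to undercount.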
These vulnerabilities may open up users to targeted or non-targeted attacks. Depending on the software (home monitoring, physician, programmer, etc.) the attack could affect a single patient or an entire practice. The potential for monetary gain is very real; the healthcare provider in an attack may have to choose between a ransom and the welfare of its patients.
If the attack is on implantable medical devices, this can become a life or death decision.